
Bug 144861

Summary: media-sound/streamripper remote buffer overflows (CVE-2006-3124)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: chutzpah, gentoo, sound, tcort
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://sourceforge.net/project/shownotes.php?release_id=442124&group_id=6172
Whiteboard: B2 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments:
  streamripper.bufoflows.patch (flags: none)
  streamripper-1.61.25.ebuild (flags: none)
  streamripper-1.61.25-CVE-2006-3124 (flags: none)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-23 08:23:33 UTC
I have found some remote buffer overflows in streamripper. They occur when
a streamripper user connects to a malicious server - by being socially
engineered into doing so or by technical means such as DNS poisoning.

The overflows are stack-based and give an attacker the opportunity to
run arbitrary machine code programs.

I have attached a patch and a test-exploit (must be started from inetd/xinetd)
that shows in gdb which registers can be overwritten (a lot).

I hope that we can cooperate on solving this security problem and agree on a
release date when we will make this public in a coordinated manner.

// Ulf Harnhammar, Debian Security Audit Project
   http://www.debian.org/security/audit/
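The class of flaw the report describes, a server-controlled header value copied into a fixed stack buffer without a length check, illustrated in C as an added example. This is not streamripper's code and not the attached patch; the header name icy-name, the 64-byte buffer, the return codes and the constructed server replies are assumptions chosen for the illustration, not details taken from this bug. The unsafe pattern is shown for contrast only and is never called; the hardened parser rejects any value that would not fit.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the fixed on-stack buffer a client might reserve for one header
 * value. Hypothetical value chosen for this example. */
#define HEADER_VALUE_MAX 64

/* Constructed benign server reply in the ICY/Shoutcast style that streaming
 * servers use (constructed sample input, not a captured stream). */
const char BENIGN_RESPONSE[] =
    "ICY 200 OK\r\n"
    "icy-name:Example Station\r\n"
    "icy-br:128\r\n"
    "\r\n";

/* The defective pattern: the length of the server-supplied value is never
 * compared with the size of dst, so a long value runs past the buffer and
 * over whatever follows it on the stack. Shown for contrast only; nothing
 * in this file calls it. */
void unsafe_copy_icy_name(const char *response, char dst[HEADER_VALUE_MAX])
{
    const char *p = strstr(response, "icy-name:");
    if (p != NULL)
        strcpy(dst, p + strlen("icy-name:"));   /* no bound on the copy */
}

/* Hardened form: locate the header, measure the value up to the end of the
 * line, and refuse it when it would not fit (leaving room for the NUL).
 * Returns 0 on success, -1 when the header is absent, -2 when the value is
 * too long for dst. dst is NUL-terminated on every return when dst_len > 0. */
int parse_icy_header(const char *response, const char *name,
                     char *dst, size_t dst_len)
{
    if (dst_len == 0)
        return -2;
    dst[0] = '\0';

    const char *p = strstr(response, name);
    if (p == NULL)
        return -1;
    p += strlen(name);
    while (*p == ' ' || *p == '\t')          /* skip optional whitespace */
        p++;

    const char *end = p;
    while (*end != '\0' && *end != '\r' && *end != '\n')
        end++;

    size_t len = (size_t)(end - p);
    if (len >= dst_len)                      /* would overflow: reject it */
        return -2;

    memcpy(dst, p, len);
    dst[len] = '\0';
    return 0;
}

/* Parse the icy-name value of a reply into a HEADER_VALUE_MAX-byte stack
 * buffer and report only the return code. */
int icy_name_result(const char *response)
{
    char value[HEADER_VALUE_MAX];
    return parse_icy_header(response, "icy-name:", value, sizeof value);
}

/* Same, but report whether the parsed value equals the expected string. */
int icy_name_equals(const char *response, const char *expected)
{
    char value[HEADER_VALUE_MAX];
    if (parse_icy_header(response, "icy-name:", value, sizeof value) != 0)
        return 0;
    return strcmp(value, expected) == 0;
}

/* Build a constructed hostile reply whose icy-name value is 200 bytes, far
 * beyond HEADER_VALUE_MAX, and run the hardened parser over it. */
int oversized_icy_name_result(void)
{
    char response[256];
    size_t n = strlen("ICY 200 OK\r\nicy-name:");
    memcpy(response, "ICY 200 OK\r\nicy-name:", n);
    memset(response + n, 'A', 200);
    n += 200;
    memcpy(response + n, "\r\n\r\n", 5);    /* 5 bytes: CRLF CRLF plus NUL */
    return icy_name_result(response);
}

int main(void)
{
    printf("benign reply: rc=%d\n", icy_name_result(BENIGN_RESPONSE));
    printf("oversized reply: rc=%d\n", oversized_icy_name_result());
    printf("no icy-name header: rc=%d\n",
           icy_name_result("HTTP/1.0 200 OK\r\n\r\n"));
    return 0;
}
```

The defensive point is that the bound is decided by the destination, not by the peer: a value that does not fit is dropped with an error (a real client would close the connection and log the over-long header) rather than truncated silently or copied in full. The same check applies to every other server-supplied field the client stores in a fixed buffer.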
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-23 08:24:43 UTC
Created attachment 94940 [details, diff]
streamripper.bufoflows.patch
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-23 08:25:22 UTC
Chainsaw please attach an ebuild to this bug or be prepared to commit tomorrow at some point.
Comment 3 Tony Vroon (RETIRED) gentoo-dev 2006-08-23 08:42:09 UTC
Please note that I have touched this package only once, in the distant past (a year ago). I consider GTK+ 1 a legacy library which has been locally masked on my system for at least 6 months.
I am CC'ing the two people that possibly care about this package. I for one do not, and would suggest that we package.mask this if nobody steps up.
Comment 4 Patrick McLean gentoo-dev 2006-08-23 09:02:43 UTC
I have no problem with dropping this package.
Comment 5 Thomas Cort (RETIRED) gentoo-dev 2006-08-23 11:19:39 UTC
(In reply to comment #3)
> I consider GTK+ 1 a legacy library which has been locally masked on
> my system for at least 6 months.

Chainsaw, are we talking about the same package here? 

media-sound/streamripper-1.61.17 only depends on libogg, libvorbis, and libmad.

tcort@cheese /usr/portage/media-sound/streamripper $ grep gtk *
tcort@cheese /usr/portage/media-sound/streamripper $ grep GTK *
tcort@cheese /usr/portage/media-sound/streamripper $


> I am CC'ing the two people that possibly care about this package. I for one do
> not, and would suggest that we package.mask this if nobody steps up.

I care :) 

(In reply to comment #2)
> Chainsaw please attach an ebuild to this bug or be prepared to commit tomorrow
> at some point.

The package needs a version bump too (Bug #128563). I'll attach an updated ebuild and patch for 1.61.25 later today. I'll be moving and without internet access for a week starting tomorrow. So you'll either need someone else to commit it or have me commit it soon after midnight tonight.
Comment 6 Thomas Cort (RETIRED) gentoo-dev 2006-08-23 11:40:56 UTC
Created attachment 94954 [details]
streamripper-1.61.25.ebuild

An ebuild for streamripper-1.61.25. Solves Bug #128563 (version bump request) and this bug.
Comment 7 Thomas Cort (RETIRED) gentoo-dev 2006-08-23 11:43:54 UTC
Created attachment 94955 [details, diff]
streamripper-1.61.25-CVE-2006-3124

Buffer overflow patch for streamripper-1.61.25. Same as attachment #94940 [details, diff] but for 1.61.25. (i.e. the file lib/http.c changed and the fixes happen on different line numbers now).
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-25 00:40:03 UTC
This one is public now.

Sound please commit the updated ebuild.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-29 11:20:52 UTC
*** Bug 128563 has been marked as a duplicate of this bug. ***
Comment 10 trefoil 2006-08-29 16:21:27 UTC
FYI Streamripper 1.61.26 also incorporates the fix.
Comment 11 Thomas Cort (RETIRED) gentoo-dev 2006-08-31 05:58:25 UTC
An ebuild for streamripper-1.61.26 has been committed. It contains the fixes in attachment #94955 [details, diff].
Comment 12 Thomas Cort (RETIRED) gentoo-dev 2006-08-31 07:01:21 UTC
Arch teams, please test and mark stable =media-sound/streamripper-1.61.26

Testing hints...

  Testing Streaming MP3 Ripping:
    Go to http://www.shoutcast.com/
    Click on one of the "Tune In!" buttons to download shoutcast-playlist.pls
    Look in the *.pls file for a URL, ex: http://64.236.34.196:80/stream/1074
    Run "streamripper http://64.236.34.196:80/stream/1074"
    Other options are explained in the man page.
    Use ctrl+c to quit
    Try playing the ripped songs, they are in $(pwd)/${STATION}/*.mp3

  Testing Streaming OGG/Vorbis Ripping (requires the 'vorbis' USE flag):
    Go to http://dir.xiph.org/index.php
    Click on one of the "Ogg Vorbis" buttons to download listen.m3u
    Look in the *.m3u file for a URL.
    Rip some songs (as described above) and try playing the ripped files.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-31 10:24:47 UTC
Thx Thomas.

Arches please test and mark stable.
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2006-08-31 11:25:00 UTC
ppc64 stable
Comment 15 Christoph Mende (RETIRED) gentoo-dev 2006-08-31 12:48:20 UTC
emerges fine on amd64, passes multilib-strict and collision-test, rips mp3/ogg without any problems.

Portage 2.1-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r7 x86_64)
=================================================================
System uname: 2.6.17-gentoo-r7 x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.12.4
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-test distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO8859-1"
LC_ALL="en_US.ISO8859-1"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acpi alsa asf avi berkdb bitmap-fonts bzip2 cairo cdda cddb cdinstall cdr cli crypt cups dbus dlloader dri dvd dvdr emboss encode expat fam firefox fortran gdbm gif glut gpm gstreamer gtk gtk2 hal imagemagick isdnlog jpeg lcms ldap libg++ lirc mad mikmod mng mp3 mpeg musicbrainz ncurses nls nptl nptlonly ogg opengl pam pcre pdflib php png ppds pppd quicktime readline reflection sdl session socks5 spl ssl svg tcpd tiff truetype truetype-fonts type1-fonts udev unicode v4l v4l2 vorbis xine xinerama xml xorg xv zlib elibc_glibc input_devices_evdev input_devices_keyboard input_devices_mouse kernel_linux lirc_devices_hauppauge userland_GNU video_cards_fglrx video_cards_radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2006-08-31 13:27:16 UTC
sparc stable.
Comment 17 Thomas Cort (RETIRED) gentoo-dev 2006-08-31 13:31:06 UTC
amd64 stable.
Comment 18 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-01 10:28:48 UTC
ppc stable
Comment 19 Markus Meier gentoo-dev 2006-09-02 04:57:16 UTC
1.) emerges fine on x86 with and without USE="vorbis" (with gcc 3.4 and 4.1.1)
2.) passes collision test
3.) mp3 and ogg ripping works fine

Portage 2.1-r2 (default-linux/x86/2006.1/desktop, gcc-3.4.6, glibc-2.4-r3, 2.6.17.6 i686)
=================================================================
System uname: 2.6.17.6 i686 AMD Athlon(TM) XP1800+
Gentoo Base System version 1.12.4
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.3.5-r2, 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal /usr/local/portage/testing"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac acpi alsa apache2 avi bash-completion berkdb bitmap-fonts bzip2 cairo cdr cli crypt css cups dbus divx4linux dlloader dri dts dvd dvdr dvdread emboss exif fam ffmpeg firefox font-server fortran gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal ipv6 isdnlog java jpeg kde kdeenablefinal ldap libclamav libg++ logitech-mouse mad mikmod mmx mmxext mono mozcalendar mozdevelop mozsvg mp3 mpeg ncurses network nls nptl nptlonly nvidia oav ogg opengl oss pam pcre pdflib perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl tcltk tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb vcd vorbis win32codecs xine xinerama xml xorg xorg-x11 xprint xv xvg xvid zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_en linguas_de linguas_en_GB userland_GNU video_cards_nv video_cards_none"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 20 Christian Faulhammer (RETIRED) gentoo-dev 2006-09-03 07:51:22 UTC
1) emerges fine
2) passes collision test
3) works

Portage 2.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r7 i686)
=================================================================
System uname: 2.6.17-gentoo-r7 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.12.4
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile avi bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap ipv6 isdnlog java javascript jikes jpeg jpeg2k ldap leim libg++ lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf pdflib perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd tetex theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_de userland_GNU video_cards_radeon video_cards_vesa video_cards_fbdev"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 21 Joshua Jackson (RETIRED) gentoo-dev 2006-09-03 23:45:48 UTC
x86's bad, we're the last and now stable ^.^;;
Comment 22 Thomas Cort (RETIRED) gentoo-dev 2006-09-04 05:19:32 UTC
Everyone's stable that needs to be stable. Removed the old and/or vulnerable ebuilds.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-04 07:39:17 UTC
Reopening for GLSA. 

Thomas please don't close security bugs.
Comment 24 Thomas Cort (RETIRED) gentoo-dev 2006-09-04 14:29:49 UTC
(In reply to comment #23)

> Thomas please don't close security bugs.

I didn't, tsunam did...

From: bugzilla-daemon@gentoo.org
To: tcort@gentoo.org
Subject: [Bug 144861] media-sound/streamripper remote buffer overflows (CVE-2006-3124)
Date: Mon, 04 Sep 2006 06:45:43 +0000


Clear-Text: http://bugs.gentoo.org/show_bug.cgi?id=144861
Secure: https://bugs.gentoo.org/show_bug.cgi?id=144861


tsunam@gentoo.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|x86@gentoo.org              |
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED




------- Comment #21 from tsunam@gentoo.org  2006-09-03 23:45 PST -------
x86's bad, we're the last and now stable ^.^;;
Comment 25 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-05 01:56:19 UTC
Ok, sorry I missed that initially.
Comment 26 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-06 08:20:24 UTC
GLSA 200609-01